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Report  No.  D-2001-168  August  2,  2001 

(Project  No.  D2001AL-0072) 

Acquisition  Management  of  the  Global  Transportation  Network 

Executive  Summary 


Introduction.  This  report  discusses  the  acquisition  management  of  the  Global 
Transportation  Network  by  the  U.S.  Transportation  Command.  This  report  is  one  in  a 
series  of  audit  reports  addressing  DoD  acquisition  management  of  information 
technology  systems. 

The  Global  Transportation  Network  is  a  central  database  system  that  augments  the 
business  process  of  the  U.S.  Transportation  Command  for  managing  and  controlling 
in-transit  assets.  In  addition,  the  Global  Transportation  Network  allows  more  than 
6,000  registered  users  to  monitor  movements  of  resources  affecting  the  readiness  of 
missions.  Since  achieving  initial  operating  capability  in  April  1997,  the  Global 
Transportation  Network  processes  more  than  2  million  transactions  per  day. 

The  Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and 
Intelligence)  designated  the  Global  Transportation  Network  as  a  Major  Automated 
Information  System  (Acquisition  Category  I  AM).  The  U.S.  Transportation  Command 
funds  Global  Transportation  Network  development,  deployment,  and  operations  and 
maintenance  with  its  Transportation  Working  Capital  Fund.  Through  FY  2005,  Global 
Transportation  Network  costs  will  amount  to  $300  million.  In  addition,  $211  million  is 
programmed  for  FY  2002  through  FY  2007  for  system  modernization. 

Objective.  The  overall  audit  objective  was  to  evaluate  the  acquisition  management  of 
the  Global  Transportation  Network.  Specifically,  the  audit  determined  whether  the 
system  was  being  cost-effectively  acquired,  monitored,  tested,  and  prepared  for 
deployment  and  system  life-cycle  support  in  accordance  with  DoD  Directive  5000.1, 
“Defense  Acquisition,”  October  23,  2000,  and  DoD  Directive  5200.28,  “Security 
Requirements  for  Automated  Information  Systems  (AISs),”  March  21,  1988.  We  also 
evaluated  the  management  control  program  related  to  the  objective.  See  Appendix  A 
for  a  discussion  of  the  audit  scope  and  methodology  and  the  review  of  the  management 
control  program. 

Results.  The  U.S.  Transportation  Command  cost-effectively  acquired,  monitored, 
tested,  and  prepared  the  Global  Transportation  Network  for  deployment  and  system 
life-cycle  support  in  compliance  with  Office  of  Management  and  Budget  and  DoD 
guidance.  It  was  able  to  obtain  an  information  technology  system  that  augmented  its 


mission-essential  and  mission-critical  business  processes  as  well  as  the  needs  of  its 
customers  within  cost,  schedule,  and  performance  baselines.  Further,  the  U.S. 
Transportation  Command’s  management  controls  were  adequate  in  that  we  identified  no 
material  management  control  weaknesses  in  its  acquisition  of  the  Global  Transportation 
System. 

Management  Comments.  We  provided  a  draft  of  this  report  on  June  18,  2001. 
Because  this  report  contains  no  recommendations,  no  written  response  to  this  report 
was  required,  and  none  was  received. 
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Background 


Global  Transportation  Network.  The  Global  Transportation  Network  (GTN)  is 
a  U.S.  Transportation  Command  (USTRANSCOM)  information  technology 
investment  that  augments  the  USTRANSCOM  business  process  for  managing  and 
controlling  in-transit  assets.  Further,  it  allows  authorized  users  to  monitor 
passengers,  patients,  forces,  and  cargo.  The  GTN  receives  and  stores  logistics 
data  from  more  than  50  source  systems  with  interface  links  to  more  than 
100  secondary  systems.  In  addition,  GTN  passes  data  to  the  Global  Combat 
Support  System,  the  Joint  Total  Asset  Visibility  System,  and  the  Joint  Operation 
Planning  and  Execution  System.  The  GTN  processes  more  than  2  million 
transactions  per  day,  with  data  access  to  more  than  6,000  registered  users.  The 
GTN  achieved  initial  operating  capability  in  April  1997. 

System  Configuration.  The  GTN  is  a  central  database  system  that  is 
configured  with  web-based  server  access.  Authorized  users  extract  information 
from  the  GTN  database  and  display  it  on  desktop  monitors  or  notebook 
computer  screens.  The  GTN  does  not  create  new  information  from  stored  data. 
The  classified  and  unclassified  database  servers  reside  at  Scott  Air  Force  Base, 
Illinois  with  back-ups  at  Robins  Air  Force  Base,  Georgia.  Access  to  the 
classified  servers  is  through  the  Secret  Internet  Protocol  Router  Network.1 

Oversight  and  Management.  The  Assistant  Secretary  of  Defense  (Command, 
Control,  Communication,  and  Intelligence)  (ASD(C3I))  designated  GTN  as  an 
acquisition  category  IAM  Major  Automated  Information  System.2  The 
ASD(C3I)  is  also  the  milestone  decision  authority  for  the  acquisition.  Executive 
agent  responsibility  for  GTN  was  assigned  to  the  Air  Force,  and  program 
management  was  assigned  to  the  Chief  Information  Officer,  USTRANSCOM. 
Lockheed  Martin  Mission  Systems  performs  system  integration,  and  the  Program 
Management  Office  and  USTRANSCOM  perform  information  security  services 
with  support  from  MITRE  Corporation.  It  should  be  noted  that  USTRANSCOM 
was  recognized  by  the  National  Security  Agency  for  excellence  in  the  field  of 
information  system  security.  In  1998,  USTRANSCOM  received  the  Frank  B. 
Rowlett  Award  for  organizational  achievement. 

Funding.  The  USTRANSCOM  funds  GTN  development,  deployment,  and 
operation  and  maintenance  with  its  Transportation  Working  Capital  Fund. 
Through  FY  2005,  GTN  costs  will  amount  to  $300  million.  In  addition, 

$211  million  is  programmed  for  FY  2002  through  FY  2007  for  GTN 
modernization. 


1  The  Secret  Internet  Protocol  Router  Network  is  the  DoD  wide  area  network  for  transferring  classified 
information  between  computer  systems. 

2  Programs  are  defined  as  Acquisition  Category  IA  automated  information  systems  if  costs  for  any  single 
year  exceed  $32  million  (FY  2000  constant  dollars),  total  program  cost  exceeds  $126  million,  total  life- 
cycle  costs  exceed  $378  million,  or  if  the  Assistant  Secretary  of  Defense  (Command,  Control, 
Communication,  and  Intelligence)  designates  them  as  Acquisition  Category  IA  systems. 
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Objective 


The  overall  audit  objective  was  to  evaluate  the  acquisition  management  of  GTN. 
Specifically,  the  audit  determined  whether  the  system  was  being  cost-effectively 
acquired,  monitored,  tested,  and  prepared  for  deployment  and  system  life-cycle 
support  in  accordance  with  DoD  Directive  5000.1,  “Defense  Acquisition,” 
October  23,  2000,  and  DoD  Directive  5200.28,  “Security  Requirements  for 
Automated  Information  Systems  (AISs),”  March  21,  1988.  We  also  evaluated 
the  management  control  program  related  to  the  objective.  See  Appendix  A  for  a 
discussion  of  the  audit  scope  and  methodology  and  the  review  of  the 
management  control  program. 
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Acquisition  Management  of  the  Global 
Transportation  Network 

The  U.S.  Transportation  Command  cost-effectively  acquired,  monitored, 
tested,  and  prepared  GTN  for  deployment  and  system  life-cycle  support 
in  compliance  with  Office  of  Management  and  Budget  and  DoD 
guidance.  This  condition  occurred  because  the  GTN  Program 
Management  Office  at  the  U.S.  Transportation  Command  managed 
acquisition  risks  and  applied  management  controls  for  the  information 
technology  investment.  Further,  the  Assistant  Secretary  of  Defense 
(Command,  Control,  Communications,  and  Intelligence)  participated  in 
management  decisions  affecting  the  investment’s  outcome.  As  a  result, 
the  U.S.  Transportation  Command  obtained  an  information  technology 
system  that  augmented  its  mission-essential  and  mission-critical  business 
processes  and  the  needs  of  its  customers  within  cost,  schedule,  and 
performance  baselines. 

Mandatory  Guidance 


The  Office  of  Management  and  Budget  and  the  DoD  provide  managers  with 
guidance  for  acquiring  information  technology  investments  and  safeguarding 
information.  Risks  are  mitigated  when  program  offices  comply  with  guidance, 
policies,  and  procedures.  Management  controls  are  also  implemented  for  cost, 
schedule,  performance,  and  information  security.  Appendix  B  describes  the 
guidance  as  it  relates  to  the  GTN  acquisition. 

Risk  Management  and  Management  Controls 

The  USTRANSCOM  deployed  an  operationally  effective  and  suitable  GTN  by 
managing  system  acquisition  risks  and  applying  management  controls.  In 
compliance  with  Office  of  Management  and  Budget  and  DoD  guidance, 
USTRANSCOM: 

•  involved  users  and  testers, 

•  provided  funding  stability  for  the  investment, 

•  staffed  the  acquisition  with  trained  and  experienced  personnel, 

•  developed  and  operated  a  system  prototype, 

•  applied  and  monitored  security  controls  throughout  the  system’s  life 
cycle,  and 

•  monitored  the  efficiency  and  effectiveness  of  program  progress  and 
results. 

The  Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and 
Intelligence)  participated  in  management  decisions  affecting  the  information 
technology  investment’s  outcome. 
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User  and  Tester  Involvement.  The  GTN  was  a  joint  development  and 
deployment  effort  within  USTRANSCOM.  Requirements  were  compiled  and 
prioritized  by  the  Directorate  of  Operations  and  Logistics.  The  requirements 
were  also  organized  and  refined  by  the  Program  Management  Office  and 
functional  integrated  product  teams  to  determine  best  solutions.  Further, 
planning  and  execution  of  the  GTN  test  program  was  a  combined  effort  of  the 
Program  Management  Office,  the  contractors,  the  Air  Force  Operational  Test 
and  Evaluation  Center,  the  Joint  Interoperability  Test  Command,  and  the  Air 
Force  Information  Warfare  Center.  As  a  result  of  involvement  by  system 
stakeholders,  USTRANSCOM  deployed  an  information  technology  system  that 
satisfied  operational  requirements  and  specifications. 

Funding  Stability.  Stable  funding  allowed  the  GTN  system  acquisition  to 
progress  without  delays.  Beginning  in  FY  2000  and  extending  through 
FY  2002,  more  than  39  percent  of  the  capital  budget  for  USTRANSCOM  for 
externally  developed  software  was  budgeted  for  GTN.  As  a  result  of  this 
financial  commitment,  GTN  customers  could  depend  on  system  improvements 
and  enhancements. 

Trained  and  Experienced  Acquisition  Personnel.  The  USTRANSCOM  staffed 
the  GTN  Program  Management  Office  with  a  trained  and  experienced  workforce. 
Of  the  20  individuals  assigned  to  the  GTN  Program  Management  Office,  10  had 
either  been  certified  as  acquisition  professionals3  or  had  completed  training  to 
satisfy  certification  requirements.  Further,  the  Program  Management  Office 
requested  that  USTRANSCOM  expand  the  number  of  positions  requiring 
certification.  The  actions  taken  by  the  Program  Management  Office  enabled  the 
GTN  to  obtain  and  sustain  a  highly  qualified  acquisition  workforce. 

Prototypes.  The  USTRANSCOM  benefited  from  lessons  learned  from  GTN 
prototype  developments  and  deployments.  The  first  GTN  prototype,  developed 
in  1990,  reported  information  extracted  from  multiple  database  systems.  When 
the  GTN  prototype  was  deployed  in  Southwest  Asia  for  Operation  Desert 
Shield,  developers  discovered  that  the  prototype  experienced  technical  problems 
when  transferring  and  managing  large  volumes  of  data.  As  a  result,  a  second 
prototype  was  developed  during  1993  and  1994.  This  second  prototype 
streamlined  the  data-gathering  process  by  periodically  receiving  data  from 
multiple  sources  and  storing  it  in  a  central  database  for  extraction  by  authorized 
users.  Developers  used  the  prototype  to  refine  GTN  requirements,  determine 
technical  capabilities  needed  to  deliver  requirements,  and  obtain  user  feedback. 
System  prototyping  enabled  users  and  personnel  in  the  Program  Management 
Office  to  have  a  common  understanding  of  business  process  requirements  and  an 
appreciation  of  technology  alternatives  and  report  presentations  before  the 
information  technology  investment  proceeded  to  full-scale  development. 


3  DoD  issues  Acquisition  Professional  Development  Program  Certifications  to  individuals  meeting 
education,  training,  and  experience  standards  in  accordance  with  DoD  Directive  5000. 52-M, 
“Acquisition  Career  Development  Program,”  November  22,  1995. 
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Information  Security  and  Data  Integrity.  In  October  2000,  after  complying 
with  DoD  guidance  for  information  technology  system  certification  and 
accreditation,  USTRANSCOM  granted  GTN  an  information  security  approval 
to  operate.  Further,  USTRANSCOM  took  additional  steps  to  monitor  the 
effectiveness  and  reliability  of  GTN  information. 

Security  Effectiveness.  When  the  Program  Management  Office 
submitted  the  GTN  for  information  security  accreditation,  it  requested  a  1  year 
rather  than  a  3  year  approval  to  operate.  Despite  quarterly  Security  Working 
Group  meetings  and  tools  installed  for  monitoring  system  security,  the  GTN 
Program  Management  Office  believed  that  certification  and  accreditation  would 
not  be  valid  beyond  12  months  due  to  the  rapid  rate  that  information  technology 
changes.  As  a  result,  USTRANSCOM  required  an  analysis  of  GTN  security 
controls  to  be  conducted  each  year  to  determine  the  need  for  recertification  and 
reaccreditation  as  a  condition  for  approval  to  operate. 

Data  Reliability.  The  GTN  depends  on  reliable  feeder  system 
information  for  system  effectiveness.  Untimely  and  inaccurate  data  can 
compromise  the  quality  of  GTN  information.  Recognizing  this  vulnerability, 
the  Program  Management  Office  implemented  edits  for  validating  data  and 
maintains  daily  metrics  for  monitoring  rejection  rates.  However,  edits  cannot 
entirely  eliminate  invalid  data.  Untimely  and  inaccurate  information  can  still 
populate  the  database. 

Monitoring  Program  Progress  and  Results.  The  Program  Management  Office 
continually  monitors  program  progress  and  results  for  the  GTN  system 
acquisition.  By  translating  system  requirements  to  system  products  and  linking 
documentation  to  planning  and  budgeting  cycles  for  life-cycle  estimates,  the 
Program  Management  Office  developed  baselines  for  measuring  cost,  schedule, 
and  performance  effectiveness  and  efficiency.  As  demonstrated  by  the  quarterly 
Defense  Acquisition  Executive  Summaries  and  monthly  progress  reports,  the 
Program  Management  Office  has  integrated  cost,  schedule,  and  performance 
management  controls  into  the  acquisition  process. 

Office  of  Assistant  Secretary  of  Defense  (Command,  Control, 
Communications,  and  Intelligence)  Oversight.  From  reviews  of  program 
status  reports  and  documents,  briefings,  and  budget  submissions,  the  ASD(C3I) 
monitored  GTN  program  progress  and  results.  Also,  the  ASD(C3I)  offered 
constructive  suggestions  when  USTRANSCOM  coordinated  GTN  program 
decisions.  Although  the  USTRANSCOM  initially  programmed  the  GTN 
modernization  as  a  major  modification  to  the  existing  system,  the  ASD(C3I) 
believed  the  documentation  supporting  the  modernization  could  qualify  the  GTN 
as  a  new  information  technology  investment. 
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After  discussions  and  briefings,  the  ASD(C3I)  and  USTRANSCOM  jointly 
agreed  to  ask  for  additional  review  by  the  Under  Secretary  of  Defense 
(Comptroller)4.  The  Comptroller  determined  that  the  modernization  was  a  new 
acquisition,  and  USTRANSCOM  revised  its  FY  2002  budget  submission  to 
reflect  the  change. 

Conclusion 

USTRANSCOM  cost-effectively  acquired,  monitored,  tested,  and  prepared 
GTN  for  deployment  and  system  life-cycle  support  by  managing  risks  and 
applying  management  controls  in  compliance  with  Office  of  Management  and 
Budget  and  DoD  guidance.  As  a  result,  USTRANSCOM  can  better  plan  and 
manage  movements  of  resources  to  and  from  areas  of  national  and  international 
interests  and  GTN  authorized  users  can  better  monitor  movements  of  resources 
affecting  the  readiness  of  missions.  Therefore,  because  the  GTN  information 
technology  investment  met  user  requirements  within  cost,  schedule,  and 
performance  baselines,  no  report  recommendations  are  being  made. 


4DoD  Regulation  7000. 14-R,  “DoD  Financial  Management  Regulation,”  August  2000,  requires  that  DoD 
Components  coordinate  new  starts  for  system  acquisitions  with  the  Office  of  Under  Secretary  of 
Defense  (Comptroller). 
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Appendix  A.  Audit  Process 


Scope 


Work  Performed.  We  conducted  this  program  audit  from  January  through 
May  2001  and  reviewed  documentation  dated  from  June  1992  through 
May  2001.  To  accomplish  the  audit  objective,  we: 

•  Interviewed  officials  and  obtained  documentation  from  the  offices  of 
ASD(C3I),  the  Air  Force  Program  Executive  Office  for  Command 
and  Control  and  Combat  Support  Systems,  Headquarters 
USTRANSCOM,  the  GTN  Program  Management  Office,  and 
contractor  personnel. 

•  Reviewed  available  documents  related  to  program  requirements, 
definition,  assessments,  and  development;  decision  reviews;  program 
status  reporting;  information  system  security;  and  oversight. 

•  Evaluated  the  adequacy  of  management  controls  related  to  the 
acquisition  of  GTN  information  technology  investment. 

DoD-Wide  Corporate  Level  Government  Performance  and  Results  Act 
Coverage.  In  response  to  the  Government  Performance  and  Results  Act,  the 
Secretary  of  Defense  annually  establishes  DoD-wide  corporate  level  goals, 
subordinate  performance  goals,  and  performance  measures.  This  report  pertains 
to  achievement  of  the  following  goal,  subordinate  performance  goal,  and 
performance  measure: 

FY  2001  DoD  Corporate  Level  Goal  2:  Prepare  now  for  an  uncertain 
future  by  pursuing  a  focused  modernization  effort  that  maintains  U.S. 
qualitative  superiority  in  key  warfighting  capabilities.  Transform  the 
force  by  exploiting  the  Revolution  in  Military  Affairs,  and  reengineer 
the  Department  to  achieve  a  21st  century  infrastructure.  (Ol-DoD-2) 

FY  2001  Subordinate  Performance  Goal  2.5:  Improve  DoD 
financial  and  information  management.  (Ol-DoD-2.5) 

Performance  Measure  2.5.3:  Qualitative  Assessment  of  Reforming 
Information  Technology  Management.  (Ol-DoD-2.5.3) 
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DoD  Functional  Area  Reform  Goals.  Most  major  DoD  functional  areas  have 
performance  improvement  reform  objectives  and  goals.  This  report  pertains  to 
achievement  of  the  following  functional  area  objectives  and  goals: 

Information  Management  Functional  Area. 

•  Objective.  Provide  services  that  satisfy  customer  information  needs. 
Goal.  Introduce  new  paradigms.  (IM-2.4) 

•  Objective.  Reform  information  technology  management  processes  to 
increase  efficiency  and  mission  contribution. 

Goal.  Institutionalize  Clinger-Cohen  Act  of  1996  provisions. 

(IM-3.1) 

Goal.  Institute  fundamental  information  technology  management 
reform  efforts.  (IM-3.2) 

Logistics  Functional  Area. 

•  Objective.  Improve  strategic  mobility  to  meet  warfighter 
requirements. 

Goal.  Develop  a  measurement  plan  and  goals  for  mobility  infrastructure 
and  mobility  process  improvements  by  the  end  of  FY  2001.  Achieve 
those  goals  by  the  end  of  FY  2006.  Both  the  plan  and  the  goals  have 
been  deferred  pending  publication  of  MRS-05.  (LOG  2.2) 

•  Objective.  Implement  Customer  Wait  Time  as  the  DoD  logistics  metric. 

Goal.  Develop  the  process  for  definition  and  measurement  of 
Customer  Wait  Time  by  the  end  of  FY  2001.  (LOG-3.1) 

Goal.  Fully  implement  Customer  Wait  Time  measurement  for 

100  percent  of  all  selected  segments  by  the  end  of  FY  2006.  (LOG-3.2) 

General  Accounting  Office  High-Risk  Area.  The  General  Accounting  Office 
identified  several  high-risk  areas  in  the  DoD.  This  report  provides  coverage  of 
the  Information  Security  and  DoD  Systems  Modernization  high-risk  areas. 

Methodology 


We  conducted  this  program  audit  in  accordance  with  auditing  standards  issued 
by  the  Comptroller  of  the  United  States,  as  implemented  by  the  Inspector 
General,  DoD.  Accordingly,  we  included  tests  of  management  controls 
considered  necessary.  We  did  not  use  computer-processed  information  to 
perform  this  audit.  We  comply  with  Government  Auditing  Standards  except  for 
the  requirement  for  an  external  quality  control  review.  Measures  have  been 
taken  to  obtain  an  external  quality  control  review. 

Contacts  During  the  Audit.  We  contacted  individuals  and  organizations  within 
and  outside  DoD.  Further  details  are  available  upon  request. 
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Management  Control  Program  Review 


DoD  Directive  5010.38,  “Management  Control  (MC)  Program,” 

August  26,  1996,  and  DoD  Instruction  5010.40,  “Management  Control  (MC) 
Program  Procedures,”  August  28,  1996,  require  DoD  organizations  to 
implement  a  comprehensive  system  of  management  controls.  The  controls 
provide  reasonable  assurance  that  programs  are  operating  as  intended  and  to 
evaluate  the  adequacy  of  the  controls. 

Scope  of  the  Review  of  the  Management  Control  Program.  In  accordance 
with  DoD  Directive  5000.1,  DoD  Instruction  5000.2,  “Operation  of  the  Defense 
Acquisition  System,”  October  23,  2000,  and  DoD  Regulation  5000. 2-R, 
“Mandatory  Procedures  for  Major  Defense  Acquisition  Programs  (MDAPs)  and 
Major  Automated  Information  System  (MAIS)  Acquisition  Programs,” 

March  15,  1996  (subsequently  revised  on  January  4,  2001),  acquisition 
managers  are  to  apply  program  cost,  schedule,  and  performance  parameters  to 
control  objectives  for  implementing  DoD  Directive  5010.38  requirements. 
Accordingly,  we  limited  our  review  to  management  controls  directly  related  to 
the  acquisition  management  and  information  security  of  the  GTN  and  not  to 
USTRANSCOM’s  self-evaluation  of  management  controls  for  the  Defense 
Transportation  System. 

Adequacy  of  the  Management  Controls.  Management  controls  for  the  GTN 
information  technology  investment  were  adequate  in  that  we  identified  no 
material  management  control  weaknesses. 

Prior  Coverage 


During  the  last  5  years,  no  reports  addressing  the  GTN  information  technology 
investment  were  issued. 
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Appendix  B.  Mandatory  Guidance 


The  Office  of  Management  and  Budget  and  DoD  provide  managers  with 
guidance  for  managing  risk  and  implementing  management  controls  for 
acquiring  information  technology  investments  and  safeguarding  information 
assets. 


Office  of  Management  and  Budget  Guidance 

Office  of  Management  and  Budget  Circular  No.  A-130,  “Management  of 
Federal  Information  Resources,”  November  30,  2000,  implements  numerous 
public  laws  and  other  Office  of  Management  and  Budget  guidance  that  address 
acquisition  of  information  technology  investments  and  security  of  system  stored 
information  and  software  applications.  In  accordance  with  the  Cohen-Clinger 
Act  of  1996,  the  Circular  requires  that: 

•  Cost  benefit  analyses  be  prepared  for  each  system  throughout  its  life  cycle. 

•  Risks  be  reduced  by  fully  testing  and  prototyping  system  components 
prior  to  deployment,  and  involving  users  in  the  capital  planning  process. 

•  Performance  measures  be  implemented  to  provide  timely  information  on 
the  progress  of  an  information  technology  program  in  terms  of  cost  and 
capability  to  meet  specified  requirements,  timeliness,  and  quality. 

Further,  the  Circular  also  requires  management  controls  for  safeguarding 
information  assets.  Those  controls  include: 

•  the  development  of  security  plans  for  all  systems, 

•  a  security  control  assessment  by  a  management  official  before  a  system 
processes  information,  and 

•  periodic  security  reviews  to  determine  the  effectiveness  of  controls. 


DoD  Guidance 

DoD  Directive  5000.1.  DoD  Directive  5000.1,  “Defense  Acquisition,” 

October  23,  2000,  establishes  a  disciplined  life-cycle  management  approach  for 
acquiring  quality  products.  DoD  Directive  5000. 1  emphasizes  the  need  to 
recognize  fiscal  constraint  and  requires  acquisition  managers  to  work  with  users 
to  trade  off  performance  and  schedule  with  available  funding.  Additionally, 
DoD  Directive  5000. 1  requires  DoD  Components  to  maximize  program  stability 
by  developing  realistic  program  schedules,  investment  plans,  and  affordability 
assessments. 
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DoD  Directive  5200.28.  DoD  Directive  5200.28,  “Security  Requirements  for 
Automated  Information  Systems  (AISs),”  March  21,  1988,  provides  mandatory 
guidance  for  safeguarding  classified  and  sensitive  unclassified  information.  It 
implements  the  security  safeguard  provisions  of  Office  of  Management  and 
Budget  Circular  A- 130.  It  is  also  a  reference  source  for  DoD  Instruction 
5200.40,  “DoD  Information  Technology  Security  Certification  and 
Accreditation  Process  (DITSCAP),”  December  30,  1997. 

DoD  Directive  8000.1.  DoD  Directive  8000.1.  “Defense  Information 
Management  (IM)  Program,”  October  27,  1992,  establishes  policy  and  assigns 
responsibilities  for  the  collection,  creation,  use,  dissemination,  and  disposition 
of  all  data  and  information  within  DoD.  In  addition,  DoD  Directive  8000.1 
defines  information  security,  integrity  and  survivability  as  basic  to  DoD 
missions.  Also,  DoD  Directive  8000.1  requires  a  disciplined  life-cycle 
approach  to  manage  information  systems. 

DoD  Instruction  5000.2.  DoD  Instruction  5000.2,  “Operation  of  the  Defense 
Acquisition  System,”  Change  1,  January  4,  2001,  establishes  a  general  approach 
for  managing  system  acquisitions  with  best  life-cycle  solutions  for  satisfying 
user  requirements.  DoD  Instruction  5000.2  requires  chief  information  officers 
to  confirm  that  mission-critical  and  -essential  information  systems  are  developed 
in  accordance  with  the  Clinger-Cohen  Act  of  1996  before  approvals  are  granted 
for  milestone  advancements. 

DoD  Regulation  5000.2-R.  Interim  DoD  Regulation  5000. 2-R,  “Mandatory 
Procedures  for  Major  Defense  Acquisition  Programs  (MDAPs)  and  Major 
Automated  Information  System  (MAIS)  Acquisition  Programs,”  January  4,  2001, 
establishes  life-cycle  procedures  for  managing  major  acquisition  programs. 
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Appendix  C.  Report  Distribution 


Under  Secretary  of  Defense  (Comptroller) 

Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Director,  Business  Policy 

Assistant  Secretary  of  Defense  (Command,  Control,  Communications,  and  Intelligence) 


Department  of  the  Army 

Auditor  General,  Department  of  the  Army 


Department  of  the  Navy 

Naval  Inspector  General 

Auditor  General,  Department  of  the  Navy 


Department  of  the  Air  Force 

Assistant  Secretary  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Assistant  Secretary  of  the  Air  Force  (Acquisition) 

Program  Executive  Officer,  Command  and  Control  and  Combat  Support  Systems 
Director,  Office  of  the  Administrative  Assistant,  Secretary  of  the  Air  Force 
Auditor  General,  Department  of  the  Air  Force 


Unified  Command 

Commander  in  Chief,  U.S.  Transportation  Command 


Other  Defense  Organizations 

Director,  Joint  Staff 


Non-Defense  Federal  Organizations 

Office  of  Management  and  Budget 

Office  of  Information  and  Regulatory  Affairs 
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Congressional  Committees  and  Subcommittees,  Chairman  and 
Ranking  Minority  Member 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 
Senate  Committee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  Defense,  Committee  on  Appropriations 
House  Committee  on  Armed  Services 
House  Committee  on  Government  Reform 

House  Subcommittee  on  Government  Efficiency,  Financial  Management,  and 
Intergovernmental  Relations,  Committee  on  Government  Reform 
House  Subcommittee  on  National  Security,  Veterans  Affairs,  and  International 
Relations,  Committee  on  Government  Reform 
House  Subcommittee  on  Technology  and  Procurement  Policy,  Committee  on 
Government  Reform 
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